JS: split InsufficientPasswordHash.qll

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/security/dataflow/InsufficientPasswordHash.qll

@@ -1,29 +1,16 @@
 /**
- * Provides a taint tracking configuration for reasoning about password hashing with insufficient computational effort.
+ * Provides a taint tracking configuration for reasoning about
+ * password hashing with insufficient computational effort.
+ *
+ * Note, for performance reasons: only import this file if
+ * `InsufficientPasswordHash::Configuration` is needed, otherwise
+ * `InsufficientPasswordHashCustomizations` should be imported instead.
  */
 
 import javascript
-private import semmle.javascript.security.SensitiveActions
-private import semmle.javascript.frameworks.CryptoLibraries
 
 module InsufficientPasswordHash {
-  /**
-   * A data flow source for password hashing with insufficient computational effort.
-   */
-  abstract class Source extends DataFlow::Node {
-    /** Gets a string that describes the type of this data flow source. */
-    abstract string describe();
-  }
-
-  /**
-   * A data flow sink for password hashing with insufficient computational effort.
-   */
-  abstract class Sink extends DataFlow::Node { }
-
-  /**
-   * A sanitizer for password hashing with insufficient computational effort.
-   */
-  abstract class Sanitizer extends DataFlow::Node { }
+  import InsufficientPasswordHashCustomizations::InsufficientPasswordHash
 
   /**
    * A taint tracking configuration for password hashing with insufficient computational effort.
@@ -46,30 +33,4 @@ module InsufficientPasswordHash {
       node instanceof Sanitizer
     }
   }
-
-  /**
-   * A potential clear-text password, considered as a source for password hashing
-   * with insufficient computational effort.
-   */
-  class CleartextPasswordSource extends Source, DataFlow::ValueNode {
-    override SensitiveExpr astNode;
-
-    CleartextPasswordSource() { astNode.getClassification() = SensitiveExpr::password() }
-
-    override string describe() { result = astNode.describe() }
-  }
-
-  /**
-   * An expression used by a cryptographic algorithm that is not suitable for password hashing.
-   */
-  class InsufficientPasswordHashAlgorithm extends Sink {
-    InsufficientPasswordHashAlgorithm() {
-      exists(CryptographicOperation application |
-        application.getAlgorithm().isWeak() or
-        not application.getAlgorithm() instanceof PasswordHashingAlgorithm
-      |
-        this.asExpr() = application.getInput()
-      )
-    }
-  }
 }

javascript/ql/src/semmle/javascript/security/dataflow/InsufficientPasswordHashCustomizations.qll

@@ -0,0 +1,55 @@
+/**
+ * Provides default sources, sinks and sanitisers for reasoning about
+ * password hashing with insufficient computational effort, as well as
+ * extension points for adding your own.
+ */
+
+import javascript
+private import semmle.javascript.security.SensitiveActions
+private import semmle.javascript.frameworks.CryptoLibraries
+
+module InsufficientPasswordHash {
+  /**
+   * A data flow source for password hashing with insufficient computational effort.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the type of this data flow source. */
+    abstract string describe();
+  }
+
+  /**
+   * A data flow sink for password hashing with insufficient computational effort.
+   */
+  abstract class Sink extends DataFlow::Node { }
+
+  /**
+   * A sanitizer for password hashing with insufficient computational effort.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A potential clear-text password, considered as a source for password hashing
+   * with insufficient computational effort.
+   */
+  class CleartextPasswordSource extends Source, DataFlow::ValueNode {
+    override SensitiveExpr astNode;
+
+    CleartextPasswordSource() { astNode.getClassification() = SensitiveExpr::password() }
+
+    override string describe() { result = astNode.describe() }
+  }
+
+  /**
+   * An expression used by a cryptographic algorithm that is not suitable for password hashing.
+   */
+  class InsufficientPasswordHashAlgorithm extends Sink {
+    InsufficientPasswordHashAlgorithm() {
+      exists(CryptographicOperation application |
+        application.getAlgorithm().isWeak() or
+        not application.getAlgorithm() instanceof PasswordHashingAlgorithm
+      |
+        this.asExpr() = application.getInput()
+      )
+    }
+  }
+}